July 3 arrives with a threat landscape that demands immediate attention across multiple attack surfaces simultaneously. Ransomware operators are combining old and new techniques into sophisticated kill chains, identity-based attacks are bypassing MFA in seconds, a critical SharePoint flaw is being actively weaponized, and a consumer IoT device carries a perfect CVSS 10.0 score. Defenders who treat these as isolated incidents will miss the bigger picture: adversaries are chaining initial access, lateral movement, and persistence faster than ever.
The most operationally urgent story is the active exploitation of Citrix Bleed 2, tracked as CVE-2025-5777, by the ransomware group Anubis. This vulnerability targets Citrix NetScaler appliances and allows attackers to gain initial access without valid credentials. What makes this campaign particularly dangerous is the layered tradecraft that follows: once inside, Anubis operators deploy Bring Your Own Vulnerable Driver techniques to disable endpoint detection tools at the kernel level, abuse legitimate remote monitoring and management software to blend into normal IT traffic, and harvest credentials stolen from supply chain partners to accelerate lateral movement. Organizations that have not patched their NetScaler infrastructure are effectively leaving the front door open to a group that knows exactly how to move quietly once inside.
Running in parallel is a surge in ConsentFix and ClickFix attacks targeting Microsoft 365 environments. These campaigns do not steal passwords. Instead, they present users with convincing fake OAuth consent prompts or UI-deception overlays that trick them into granting a malicious application access to their authenticated session tokens. Because the attacker captures a live token rather than a credential, MFA provides no protection after the fact. The account is compromised within seconds of the user clicking approve. This is a fundamental shift in how identity attacks work, and it means that MFA alone is no longer a sufficient control for protecting cloud productivity environments.
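The defender-side view of this, as an added example that is not code from the briefing or from Microsoft: a small triage pass over consent grants that flags the traits described above, namely unsanctioned apps, unverified publishers, and high-risk delegated scopes such as offline_access, which hands the app a refresh token that outlives the session the user approved. The record fields, app IDs and addresses are constructed assumptions for the demo, not a Microsoft API schema.

```python
"""Triage Microsoft 365 OAuth consent grants for consent-phishing traits (added example)."""
from dataclasses import dataclass
# Delegated scopes that give an app durable access to mail, files or directory data;
# offline_access yields a refresh token, so the grant outlives the session the
# user was signed into when they clicked approve.
HIGH_RISK_SCOPES = {
    "offline_access", "Mail.Read", "Mail.ReadWrite", "Mail.Send",
    "Files.Read.All", "Files.ReadWrite.All", "Directory.Read.All",
}

@dataclass
class ConsentGrant:
    # Field names are an assumption loosely modelled on a tenant's consent audit data.
    app_id: str
    app_name: str
    publisher_verified: bool
    consent_type: str          # "Principal": one user consented; "AllPrincipals": admin consent
    consented_by: str
    scopes: list[str]

def triage_grants(grants, sanctioned_app_ids):
    """Return {app_id: (severity, reasons)} for every grant outside the sanctioned list."""
    findings = {}
    for g in grants:
        if g.app_id in sanctioned_app_ids:
            continue                                   # approved by the admin team
        reasons = ["app not in sanctioned list"]
        risky = sorted(HIGH_RISK_SCOPES & set(g.scopes))
        if risky:
            reasons.append("high-risk delegated scopes: " + ", ".join(risky))
        if not g.publisher_verified:
            reasons.append("publisher not verified")
        if g.consent_type == "Principal" and risky:
            reasons.append(f"single user ({g.consented_by}) consented to high-risk scopes")
        if not g.publisher_verified and any(w in g.app_name.lower() for w in ("microsoft", "office 365", "sharepoint")):
            reasons.append("vendor-impersonating app name from unverified publisher")
        # Unsanctioned apps are revoked regardless; unverified publisher plus
        # high-risk scopes is the classic consent-phishing shape.
        severity = "critical" if risky and not g.publisher_verified else "revoke"
        findings[g.app_id] = (severity, reasons)
    return findings

# Constructed sample grants; app IDs and addresses are placeholders.
SAMPLE_GRANTS = [
    ConsentGrant("app-0001", "Contoso Expense Tracker", True, "AllPrincipals", "admin@contoso.example", ["User.Read", "Mail.Send"]),
    ConsentGrant("app-0002", "Microsoft 365 Security Update", False, "Principal", "jdoe@contoso.example", ["offline_access", "Mail.ReadWrite", "Files.ReadWrite.All"]),
    ConsentGrant("app-0003", "Team Lunch Poll", False, "Principal", "asmith@contoso.example", ["User.Read"]),
]
SANCTIONED_APP_IDS = {"app-0001"}
```

Running `triage_grants(SAMPLE_GRANTS, SANCTIONED_APP_IDS)` lists the two unsanctioned apps, with the lookalike "Microsoft 365 Security Update" grant rated critical and the harmless poll app rated revoke-only.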
Microsoft SharePoint Server is also under active attack. CVE-2026-45659, a deserialization of untrusted data vulnerability, has been added to the CISA Known Exploited Vulnerabilities catalog after confirmed exploitation in the wild. Deserialization flaws are particularly severe because they can allow remote code execution on the server without authentication in some configurations, giving attackers a foothold directly inside the network perimeter. SharePoint is deeply embedded in enterprise environments and often holds sensitive documents, making it a high-value target for both ransomware staging and data exfiltration.
Finally, CISA disclosed multiple critical vulnerabilities in the Gardyn IoT Hub, carrying a maximum CVSS score of 10.0. Hard-coded credentials and sensitive data exposure in Home Firmware, Studio Firmware, and Cloud API versions below 2.12.2026 allow unauthenticated remote access to the device and anything it manages. While Gardyn is a consumer-facing product, IoT devices frequently appear on corporate and guest networks, and a compromised IoT hub can serve as a pivot point into broader network segments.
Defensive Priorities
- Patch Citrix NetScaler immediately for CVE-2025-5777. If patching cannot happen within 24 hours, isolate the appliance from external access and review NetScaler session logs for anomalous authentication patterns and unexpected session token reuse.
- Hunt for BYOVD indicators by auditing kernel driver loads for known vulnerable drivers. Enable Windows Defender Credential Guard and enforce driver blocklist policies via Windows Defender Application Control or equivalent controls.
- Audit all OAuth applications authorized in your Microsoft 365 tenant. Revoke permissions for any application that cannot be verified as sanctioned. Enable Conditional Access policies that restrict OAuth consent to admin-approved apps only, and deploy user-facing training on recognizing fake consent prompts.
- Apply the Microsoft SharePoint patch for CVE-2026-45659 without delay. If on-premises SharePoint is internet-facing, place it behind a web application firewall with deserialization attack signatures enabled and restrict access to known IP ranges where operationally feasible.
- Inventory all IoT devices on your network, including guest and OT segments. Any Gardyn IoT Hub running firmware or Cloud API below version 2.12.2026 must be updated immediately or network-isolated. Enforce network segmentation so IoT devices cannot reach internal servers or domain controllers.
- Increase monitoring on RMM tool usage. Establish a baseline of which RMM tools are authorized, from which endpoints they run, and during which hours. Alert on any RMM binary executing outside that baseline, as Anubis and similar groups rely on tool abuse to avoid detection.
- For supply chain credential risk, enforce phishing-resistant MFA such as FIDO2 keys for all privileged accounts and third-party vendor access. Review VPN and remote access logs for logins originating from unusual geographies or at unusual hours.
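As an added example of the RMM baseline alerting described in the monitoring priority above (not code from the briefing or any vendor), the following Python checks constructed process-creation records against an approved tool, host and hour baseline and reports every RMM execution that falls outside it. The CSV layout, host names, binary list and baseline windows are assumptions for the demo, not a vendor log schema.

```python
"""Flag RMM tool executions outside an approved baseline (added example)."""
import csv
import ntpath
from datetime import datetime
from io import StringIO

# Sanctioned RMM binaries: the endpoints they may run from and the approved
# local-hour window as [start, end). Keys are lower-cased because Windows
# image names are case-insensitive.
RMM_BASELINE = {
    "screenconnect.clientservice.exe": {"hosts": {"IT-ADMIN-01", "IT-ADMIN-02"}, "hours": (7, 19)},
    "anydesk.exe": {"hosts": {"HELPDESK-03"}, "hours": (7, 19)},
}
# Binaries recognised as RMM tooling, including ones with no approved use here.
KNOWN_RMM = set(RMM_BASELINE) | {"teamviewer.exe"}

# Constructed process-creation records: timestamp,host,user,image_path
SAMPLE_LOG = """\
2026-07-03T09:12:00,IT-ADMIN-01,corp\\itadmin,C:\\Program Files (x86)\\ScreenConnect Client\\ScreenConnect.ClientService.exe
2026-07-03T02:14:55,FIN-WS-17,corp\\jdoe,C:\\Users\\jdoe\\AppData\\Local\\Temp\\AnyDesk.exe
2026-07-03T22:30:10,HELPDESK-03,corp\\hd1,C:\\Program Files\\AnyDesk\\AnyDesk.exe
2026-07-03T10:00:00,HR-WS-02,corp\\asmith,C:\\Users\\asmith\\Downloads\\TeamViewer.exe
2026-07-03T10:05:00,HR-WS-02,corp\\asmith,C:\\Windows\\System32\\notepad.exe
"""

def check_rmm_events(log_text, baseline=RMM_BASELINE, known_rmm=KNOWN_RMM):
    """Return (timestamp, host, image, reason) for every out-of-baseline RMM run."""
    alerts = []
    for ts, host, _user, image_path in csv.reader(StringIO(log_text)):
        image = ntpath.basename(image_path).lower()   # Windows path, so ntpath not os.path
        if image not in known_rmm:
            continue                                  # not an RMM binary; ignore
        rule = baseline.get(image)
        if rule is None:
            reason = "RMM tool with no approved use"
        elif host not in rule["hosts"]:
            reason = "approved RMM tool on unapproved host"
        else:
            hour = datetime.fromisoformat(ts).hour
            start, end = rule["hours"]
            if start <= hour < end:
                continue                              # inside the baseline
            reason = f"approved RMM tool outside approved hours ({start:02d}-{end:02d})"
        alerts.append((ts, host, image, reason))
    return alerts

if __name__ == "__main__":
    for ts, host, image, reason in check_rmm_events(SAMPLE_LOG):
        print(f"{ts} {host} {image}: {reason}")
```

On the sample records it raises three alerts (AnyDesk dropped to a finance workstation at 02:14, the helpdesk AnyDesk run at 22:30, and an unapproved TeamViewer binary) and ignores the in-baseline ScreenConnect run and notepad.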
The convergence of these threats on a single day is a reminder that adversaries operate across multiple vectors simultaneously, and defenders must do the same. Prioritize patching, harden identity controls, and increase visibility into lateral movement indicators across your environment.
This briefing is informational and for situational awareness only; always consult official vendor advisories and CISA guidance for authoritative remediation instructions.
Ransomware, Token Hijacking, and RCE: July 3 Threat Briefing for Defenders
2026-07-03
A wave of critical threats converged this week, from Citrix Bleed 2 ransomware campaigns and Microsoft 365 session hijacking to actively exploited SharePoint RCE and a perfect-10 IoT vulnerability. Here is what your team needs to know and do right now.